Any thoughts on this?
--Ben
On Fri, Mar 24, 2017 at 5:20 PM, Benjamin Zaitlen <quasiben(a)gmail.com>
wrote:
Hi All,
I'm having some trouble with sessions, clients, and offline access
tokens. Let's say I have a client (APP 1) and I've logged in with OIDC. I
now have a refresh_token and session for APP 1. Using the auth code flow I
can generate an offline_access token (refresh_token) for a second client:
APP 2. When I look in realms/myrealm/account/sessions, I see one
session but two clients. At first I thought, great! I was able to get the
auth code flow working and I generated a refresh token for a second client.
But then disaster set in, when I logged out of the APP 1 client with the
URL: protocol/openid-connect/logout. I was logged out of the session which
included the second client and thus the offline access token for APP 2
was effectively revoked.
I've seen a handful of JIRAs related to offline access tokens and logouts
but I think they don't quite cover this use case. I have two questions:
1. Is it possible, using the auth code flow, to generate a refresh token
in a separate session? That is, can APP 1 generate an offline_access token for
APP 2 in a separate session without re-authenticating?
2. Can I log out a specific client for a session by passing additional
parameters in the logout URL?
Thanks,
--Ben
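The situation the thread describes, one SSO session shared by two clients so that a logout against one client revokes the other's offline token, can be checked from the tokens themselves. The following is an added example, not code from the thread or from Keycloak: it builds the Authorization Code request with and without the `offline_access` scope, decodes the refresh tokens' payloads to read Keycloak's `typ` claim (`Refresh` for a session-bound token, `Offline` for an offline token) and compares their `session_state` claim to see whether they belong to the same session, and assembles the form body for the `protocol/openid-connect/logout` endpoint. The server URL, the client ids `app1`/`app2`, and the two sample tokens are constructed assumptions; the tokens are unsigned dummies, and the decoder deliberately does not verify signatures, so it is for inspection only.

```python
"""Inspect Keycloak-style refresh tokens to see whether two clients' tokens
share one SSO session (added example; server URL, client ids and tokens are
constructed, not taken from the thread)."""
import base64
import json
from urllib.parse import urlencode

# Assumed values: hypothetical server; the realm name follows the thread.
KEYCLOAK = "https://sso.example.test/auth"
REALM = "myrealm"
OIDC = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect"


def authorization_url(client_id: str, redirect_uri: str, state: str, offline: bool) -> str:
    """Authorization Code request. Adding 'offline_access' to scope asks for an
    offline token instead of a refresh token that dies with the SSO session."""
    scope = "openid offline_access" if offline else "openid"
    return f"{OIDC}/auth?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unverified_claims(token: str) -> dict:
    """Decode the payload segment only. This is inspection, not validation: code
    that acts on these claims must first verify the signature with the realm keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def refresh_token_kind(token: str) -> str:
    """Keycloak marks refresh tokens with typ 'Refresh' (session-bound) or 'Offline'."""
    return unverified_claims(token).get("typ", "unknown")


def share_session(token_a: str, token_b: str) -> bool:
    """True when both tokens carry the same session_state, i.e. they hang off one
    SSO session and a logout of that session invalidates both of them."""
    a, b = unverified_claims(token_a), unverified_claims(token_b)
    return "session_state" in a and a["session_state"] == b.get("session_state")


def logout_form(refresh_token: str, client_id: str, client_secret: str) -> dict:
    """Form body for POST {OIDC}/logout. The server ends the session this refresh
    token belongs to, which affects every client attached to that session."""
    return {"refresh_token": refresh_token,
            "client_id": client_id,
            "client_secret": client_secret}


def make_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing (dummy signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy"


# Constructed sample matching the thread: APP 1 holds a session-bound refresh
# token, APP 2 an offline token, both issued under the same SSO session.
SESSION = "8f3c2a1e-0000-4000-8000-000000000001"
APP1_REFRESH = make_token({"typ": "Refresh", "azp": "app1", "session_state": SESSION})
APP2_OFFLINE = make_token({"typ": "Offline", "azp": "app2", "session_state": SESSION})

if __name__ == "__main__":
    print(authorization_url("app2", "https://app2.example.test/cb", "xyz", offline=True))
    print(refresh_token_kind(APP1_REFRESH), refresh_token_kind(APP2_OFFLINE))
    print("same session:", share_session(APP1_REFRESH, APP2_OFFLINE))
    print(logout_form(APP1_REFRESH, "app1", "<app1-secret>"))
```

Run against real tokens, `share_session` returning True for APP 1's refresh token and APP 2's offline token is exactly the "one session, two clients" view from the account page, and explains why the APP 1 logout took APP 2's offline token with it.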